.NET Framework September 2017 Security and Quality Rollup

[Brink]

Today, we are releasing the September 2017 Security and Quality Rollup and Security Only Update.This update applies to Windows 7 and later client versions and Windows Server 2008 and later server versions.

Security

This release contains the following security changes.

CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker would first need to convince the user to open a malicious document or application.

The security update addresses the vulnerability by correcting how .NET validates untrusted input.

More Information: CVE-2017-8759

Quality and Reliability

This release contains the following quality and reliability improvements.

ASP.NET

• Values added to System.Web.Cache expire immediately, with .NET Framework 4.7. [452228]
  • Also reported at ASP.NET Forums #2123507
• ASP.NET site running on Sitefinity broken, with .NET Framework 4.7. [457739]

CLR

• CRWLock::StaticAcquireWriterLock() never returns if Int32.MaxValue number of ReaderWriterLock objects are created, with .NET Framework 3.5. [242568]
• Crash in CLR assembly metadata reader. [367294]
  • Also reported at ASP.NET Forums #2106799
  • Also reported at StackOverflow #40272099
  • Also reported at Connect #3111237
• .NET remoting IPC listener thread exits and leaves an orphaned IPCServerchannel. [454409]
• Silent bad codegen when optimizing expression. [460765]
  • Also reported at dotnet/coreclr #11574
• Crash in Visual Studio due to race in CLR assembly loader. [462762]
• Runtime underallocates arrays by one element in rare cases when jitting large methods. [463604]
• AppContext feature opt-in/out not functioning correctly. [469020]
  • More information: .NET Framework Update for AppContext

Management

• Reboot method of Win32_OperatingSystem has Privilege not held exception [441901]

Networking

• HTTPWebRequest times out when switching to TLS after installing update KB4019112. [465796]

WCF

• NetTcp with X509Certificates using SslStream uses the default TLS version as the OS, with .NET Framework 4.7. [451528]

Windows Forms

• Excessive object creation in a performance-critical code-path leading to performance regressions and/or displaying empty UI and/or exhausting GDI+ handles. [452048]
• Multi-Mon support: Controls with non-default anchoring are moved around the screen when scaling is changed [462872].
  • Note: This fix will be made available for Windows 10 1607 (Anniversary Update) in October.

WPF

• WPF fails to load resources if two versions of the same assembly are loaded. [378607]
  • Note: This fix will be made available for Windows 10 1703 (Creators Update) in October.
• WPF consumes high % of CPU in Visual Studio when console session not active. [391184]
  • Note: This fix will be made available for Windows 10 in October.
• Visual Studio fails due to “Unable to load DLL ‘PenIMC.dll’” error. [452476]
  • Note: This fix will be made available for Windows 10 1703 (Creators Update) in October.
• Application crash due to call into DWrite. [453529]
  • Note: This fix will be made available for Windows 10 in October.
• TargetFrameworkName is null with mixed mode application. [425074]
  • Note: This fix will be made available for Windows 10 1703 (Creators Update) in October.
• Event leak with WPF application on touch screen monitors on Windows 10. [434946]
  • Note: This fix will be made available for Windows 10 1703 (Creators Update) in October.

Note: Fixes are not always available for all Windows versions at the same time. This situation is noted where appropriate, and where the information is available, a release date is provided.

Note: Additional information on these improvements is not available. The VSTS bug number provided with each improvement is a unique ID that you can give Microsoft Customer Support, include in StackOverflow commentsor use in web searches.

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework updates are part of the Windows 10 Monthly Rollup.


Docker Images

Docker images has not yet been updated as part of today’s release. They will be updated in the shortly. This post will be updated at that time.

Read more: .NET Framework September 2017 Security and Quality Rollup | .NET Blog

 

[jonathancr]

my friend brink where is the real rollup.net download link? it appears many confused links. i dont know which.

 

[Brink]

Hello Jonathan,

If you have Microsoft .NET Framework installed, the update should be available via Windows Update.

For via Microsoft Update Catalog: Microsoft Update Catalog

 

[jonathancr]

Hello Jonathan,

If you have Microsoft .NET Framework installed, the update should be available via Windows Update.

For via Microsoft Update Catalog: Microsoft Update Catalog

Thank you brink, u're really apreciated due your contributions.

 

[RoWin7]

Thanks, Brink. You're always on the ball.

1--MS sends me updates almost daily. PITA. Used to be only on Tues.

2--I have Office 2003 installed, although I don't use it. It's for a hypothetical emergency where Open Office can't open a file. MS Updater keeps showing me Office 10 updates and I keep telling it to "Hide these updates," and they keep coming back, sometimes all, sometimes a few. Any ideas?